
Business Operations Support Center

Date signed: 3/10/2025

PIA for Business Operations Support Center
PIA Questions / PIA Answers
OPDIV: CMS
PIA Unique Identifier: P-1993388-626257
Name: Business Operations Support Center
The subject of this PIA is which of the following? Major Application
Identify the Enterprise Performance Lifecycle Phase of the system. Operate
Is this a FISMA-Reportable system? Yes
Does the system include a Website or online application available to and for the use of the general public? Yes
Identify the operator: Agency
Is this a new or existing system? New
Does the system have Security Authorization (SA)? No
Planned Date of Authorization: 3/28/2025
Describe the purpose of the system

The Business Operations Support Center (BOSC) application is primarily used to search for information when troubleshooting access issues to supported systems. Along with displaying a list of resource files, the application relies on an Artificial Intelligence chatbot to scan all Frequently Asked Questions (FAQs) and Knowledge base resource guides and prepare easily digestible and direct answers. For questions that cannot be answered or need additional support, the application can also be used to initiate the creation of tickets. These support tickets will in turn be created on Service Now on the backend. The BOSC application allows the user to check the status of those tickets at a later point as well. The BOSC application will send a secure, short-lived URL to the email address; when clicked, the URL will display a brief status of tickets created using that email address.

When tickets are created, the BOSC application requires that users provide their first name, last name, email address, and telephonic contact to initiate Service Now ticket creation. In the event the AI chatbot is not able to successfully respond to a customer’s needs, that customer may be routed to additional helpdesk support services via live chat or contact by telephone managed via CXOne system.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) The BOSC application will collect first name, last name, email address and phone number of the user when a help desk ticket is created for assistance with an issue.
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. The BOSC application is a system that will allow internal CMS Users to create and query the status of their tickets. Upon the creation of the ticket the user will need to provide their first and last name, email address and phone number. This metadata will be stored within the EUS application and shared with the Service Now application where the application will be processed and stored.
Does the system collect, maintain, use or share PII? Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Phone Numbers
Indicate the categories of individuals about whom PII is collected, maintained or shared. Employees
How many individuals' PII in the system? 10,000-49,999
For what primary purpose is the PII used? The BOSC application collects PII to populate Service Now tickets on the backend. PII is provided for helpdesk representatives to respond to user issues and apply corrective actions.
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) This data will also be used for training purposes.
Describe the function of the SSN. Not applicable.
Cite the legal authority to use the SSN. Not applicable.
Identify legal authorities governing information use and disclosure specific to the system and program. Section 1899 of Title XVIII of the Social Security Act (42 U.S.C. 1395 et seq.)
Are records on the system retrieved by one or more PII data elements? No
Identify the sources of PII in the system: Directly from an individual about whom the information pertains: In-person
Identify the sources of PII in the system: Government Sources: Within the OPDIV
Identify the sources of PII in the system: Non-Government Sources
Identify the OMB information collection approval number and expiration date: Not applicable.
Is the PII shared with other organizations? No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. The BOSC application will prompt the user via notification on the screen that their PII will be collected prior to proceeding with use of the system.
Is the submission of the PII by individuals voluntary or mandatory? Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. There is no option to opt out of the collection of information. The information collected is used to verify identity with the corresponding ticket.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. Not applicable. Service Now, the system the BOSC application communicates with, is in a separate boundary and has an approved PIA associated with their system with how they handle PII and user data.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. Individuals are notified annually in the 'Medicare & You' handbook of their right to file a complaint if they believe their privacy rights have been violated. The 1-800-MEDICARE phone number is included in the handbook and there is more information on Medicare Homepage. When an individual calls 1-800-MEDICARE, the appropriate area at CMS would work with the individual to make sure the complaint is resolved.
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. Not applicable. The BOSC application only collects PII necessary to enable the creation of a ticket. PII collection is considered on a change-by-change basis via the CMS Security Impact Assessment (SIA) process when application fields are revised.
Identify who will have access to the PII in the system and the reason why they require access.
  • Administrators: Database Administrators will have access to PII in the database due to the nature of their role. 
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. CMS Users will submit their information by creating their ticket via the BOSC application and will not have access to any PII. Direct Contractors will access the tickets created by the end users through role-based access.
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. Database Administrators will access the tickets created by the end users through role-based access, ensuring they only have the permissions necessary, adhering to the least privilege principle.
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. CMS employees are required to take the annual Security and Privacy Awareness training, which includes an examination at the end to certify completion. CMS employees are required to take annually the HHS Records Management training, which is designed to help inform of the basic responsibilities for managing federal records, including the laws, policies, and procedures that govern federal records management.
Describe training system users receive (above and beyond general security and privacy awareness training) Not applicable.
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. The application adheres to data retention and destruction policies/procedures that follow National Archives and Records Administration (NARA) guidelines related to data retention and NIST guidelines related to data destruction. More specifically, the BOSC application adheres to the following NARA general records schedule guidelines: DAA-0040-2012-0014-0001; records containing PII will be maintained for a period of up to 6 years after the annual cutoff is determined and destroyed in accordance with existing agency and federal government guidelines, policies, and procedures.
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. Not Applicable. PII is not stored within the BOSC application. Storage is out of scope and is defined in the CMS Service Now System Security & Privacy Plan (SSPP).
Identify the publicly-available URL: External User Services (EUS) Help Desk
Does the website have a posted privacy notice? Yes
Is the privacy policy available in a machine-readable format? Yes
Does the website use web measurement and customization technology? Yes
Select the type of website measurement and customization technologies in use and if it is used to collect PII. (Select all that apply) Other - Adobe Customer Journey Analytics (CJA)
 Other - Collects PII?: No
Does the website have any information or pages directed at children under the age of thirteen? No
Does the website contain links to non-federal government website external to HHS? No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services